feat: extracted from hello-nrfcloud/backend

Author: coderbyheart

.envrc.example

@@ -0,0 +1,8 @@
+export AWS_REGION=...                   # AWS region to use, e.g. eu-west-1
+export AWS_DEFAULT_REGION=$AWS_REGION
+export AWS_ACCESS_KEY_ID= ...           # Your AWS Access Key ID
+export AWS_SECRET_ACCESS_KEY=...        # Your AWS Secret Access Key
+
+# Suppress warnings caused by using the latest Node.js version
+export JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION=1
+export NODE_NO_WARNINGS=1

.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @coderbyheart @pudkrong

.github/workflows/cleanup.yaml

@@ -0,0 +1,92 @@
+name: Cleanup
+
+permissions:
+  id-token: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      stackName:
+        description: "Name of the stack to clean"
+        required: true
+      openssl_lambda_tag:
+        description: "OpenSSL Lambda container tag to deploy"
+        required: true
+      http_api_mock_stack_name:
+        description: "Stack name of the HTTP API mock instance"
+        required: true
+env:
+  CI: 1
+  FORCE_COLOR: 3
+  JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1
+  STACK_NAME: ${{ github.event.inputs.stackName }}
+  OPENSSL_LAMBDA_CONTAINER_TAG: ${{ github.event.inputs.openssl_lambda_tag }}
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-22.04
+
+    timeout-minutes: 30
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          # The role is set up via https://github.com/hello-nrfcloud/ci
+          # secrets.AWS_ACCOUNT_ID_CI is an organization secret
+          role-to-assume: |
+            arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_CI }}:role/${{ github.repository_owner }}-ci-${{ github.event.repository.name }}
+          # vars.AWS_REGION_CI is an organization variable
+          aws-region: ${{ vars.AWS_REGION_CI }}
+
+      - name: Delete logs
+        run: ./cli.sh logs -X
+
+      - name: Destroy stack
+        run: npx cdk destroy --all -f
+
+      - name: Clean up SSM parameters
+        run: |
+          ./cli.sh configure-nrfcloud-account apiEndpoint -X
+          ./cli.sh configure-nrfcloud-account apiKey -X
+
+      - name: Delete ECR repositories
+        run: |
+          aws ecr delete-repository --force --repository-name ${{ env.STACK_NAME }}-openssl-lambda
+
+  cleanup-http-api-mock:
+    runs-on: ubuntu-22.04
+
+    timeout-minutes: 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          # The role is set up via https://github.com/hello-nrfcloud/ci
+          # secrets.AWS_ACCOUNT_ID_CI is an organization secret
+          role-to-assume: |
+            arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_CI }}:role/${{ github.repository_owner }}-ci-${{ github.event.repository.name }}
+          # vars.AWS_REGION_CI is an organization variable
+          aws-region: ${{ vars.AWS_REGION_CI }}
+
+      - name: Delete HTTP API mock
+        run: |
+          npx @bifravst/http-api-mock destroy ${{ inputs.http_api_mock_stack_name }}

.github/workflows/deploy.yaml

@@ -0,0 +1,148 @@
+name: Deployment
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Version to deploy"
+        required: true
+      openssl_lambda_tag:
+        description: "OpenSSL Lambda container tag to deploy"
+        required: true
+
+permissions:
+  id-token: write
+  packages: write
+
+env:
+  STACK_NAME: ${{ vars.STACK_NAME }}
+  AWS_REGION: ${{ vars.AWS_REGION }}
+  FORCE_COLOR: 3
+  JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1
+  REGISTRY: ghcr.io
+
+jobs:
+  print-inputs:
+    name: Print inputs
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Print inputs
+        run: |
+          echo ref=${{ github.event.inputs.ref }}
+          echo openssl_lambda_tag=${{ github.event.inputs.openssl_lambda_tag }}
+
+  docker:
+    name: Push Docker images to ECR
+
+    runs-on: ubuntu-22.04
+
+    environment: production
+
+    strategy:
+      matrix:
+        image:
+          - openssl-lambda
+        include:
+          - image: openssl-lambda
+            tag: ${{ github.event.inputs.openssl_lambda_tag }}
+
+    steps:
+      - name: Log in to the repo's container registry
+        uses: docker/login-action@5f4866a30a54f16a52d2ecb4a3898e9e424939cf
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull Docker image from repository registry
+        run: |
+          docker pull ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:${{ matrix.tag }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: github-action-hello-nrfcloud-backend
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get credentials for ECR
+        id: token
+        run: |
+          CREDS=$(aws ecr get-authorization-token | jq -r '.authorizationData[0].authorizationToken')
+          PARTS=($(echo $CREDS | tr ':' '\n'))
+          TOKEN=${PARTS[1]}
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+          echo "::add-mask::$TOKEN"
+
+      - name: Get repository on ECR
+        id: repositoryUri
+        run: |
+          REPO_URI=$(aws ecr describe-repositories --repository-names ${{ env.STACK_NAME }}-${{ matrix.image }} | jq -r '.repositories[0].repositoryUri')
+          echo "repositoryUri=$REPO_URI" >> $GITHUB_OUTPUT
+
+      - name: Log in to the repo's container registry
+        uses: docker/login-action@5f4866a30a54f16a52d2ecb4a3898e9e424939cf
+        with:
+          registry: ${{ steps.repositoryUri.outputs.repositoryUri }}
+          username: AWS
+          password: ${{ steps.token.outputs.token }}
+
+      - name: Tag Docker image for ECR
+        run: |
+          docker tag ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:${{ matrix.tag }} ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }}
+
+      - name: Check if Docker image exists on ECR
+        id: check-docker-image
+        continue-on-error: true
+        run: |
+          docker manifest inspect ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }}
+
+      - name: Push Docker image to ECR
+        if: steps.check-docker-image.outcome == 'failure'
+        run: |
+          docker push ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }}
+
+  deploy:
+    runs-on: ubuntu-22.04
+
+    environment: production
+
+    needs: docker
+
+    env:
+      FORCE_COLOR: 3
+      JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1
+      OPENSSL_LAMBDA_CONTAINER_TAG:
+        ${{ github.event.inputs.openssl_lambda_tag }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+
+      - name: Determine released version
+        id: version
+        run: |
+          git fetch --tags
+          VERSION=`git describe --abbrev=0 --tags --always | tr -d '\n'`
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: github-action-hello-nrfcloud-backend
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - run: npx cdk diff
+
+      - name: Deploy solution stack
+        run: npx cdk deploy --all --require-approval never